CVE-2025-71350 Overview
CVE-2025-71350 affects picklescan versions before 0.0.28, a security scanner designed to detect malicious code embedded in Python pickle files. The scanner fails to identify malicious payloads that leverage the torch.utils.collect_env.run function inside pickle __reduce__ methods. Attackers can craft pickle files that bypass picklescan detection and execute arbitrary shell commands when a victim loads the file with pickle.load or torch.load. This vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) and directly impacts machine learning workflows that rely on picklescan to vet model artifacts from public repositories such as Hugging Face.
Critical Impact
Attackers can distribute weaponized PyTorch model files that pass picklescan checks and execute remote commands on victim systems during model loading.
Affected Products
- picklescan versions before 0.0.28
- PyTorch-based workflows using picklescan for pre-load model verification
- ML pipelines that ingest untrusted .pkl or .pt files from public model hubs
Discovery Timeline
- 2026-06-30 - CVE-2025-71350 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2025-71350
Vulnerability Analysis
The vulnerability resides in picklescan's allowlist and detection logic for dangerous callables invoked inside pickle __reduce__ methods. Python's pickle protocol allows any object to define a __reduce__ method that returns a callable and arguments to be executed during deserialization. Security scanners like picklescan enumerate known-dangerous functions such as os.system, subprocess.Popen, and eval to flag suspicious pickle streams.
However, picklescan before 0.0.28 does not recognize torch.utils.collect_env.run as a code execution primitive. This function, part of the PyTorch environment collection utility, internally invokes subprocess.Popen to run shell commands. When placed inside a __reduce__ return tuple, it produces the same effect as calling subprocess directly, but evades static detection.
Root Cause
The root cause is an incomplete deny list of dangerous callables. picklescan relies on an enumerated set of known-unsafe functions to identify malicious pickle content. Any function not present in that list, including indirect wrappers around subprocess such as torch.utils.collect_env.run, is treated as safe. This is a fundamental limitation of allowlist- and denylist-based approaches to deserialization safety.
Attack Vector
An attacker uploads a malicious pickle or PyTorch model file to a public model repository or delivers it via phishing. The pickle payload defines a __reduce__ method that returns (torch.utils.collect_env.run, ("attacker_command",)). When the victim scans the file with picklescan, no threats are reported. When the victim subsequently calls pickle.load or torch.load, the embedded command executes with the privileges of the loading process. Refer to the Vulncheck Advisory for Picklescan for full technical details.
Detection Methods for CVE-2025-71350
Indicators of Compromise
- Pickle or PyTorch model files containing references to torch.utils.collect_env.run in their opcode stream
- Unexpected child processes spawned by Python interpreters immediately after torch.load or pickle.load calls
- Outbound network connections originating from ML training or inference hosts shortly after model loading
- Presence of picklescan versions below 0.0.28 in requirements files or virtual environments
Detection Strategies
- Inspect pickle files with pickletools.dis and search for GLOBAL opcodes referencing torch.utils.collect_env
- Upgrade to picklescan 0.0.28 or later and rescan all previously validated model artifacts
- Enforce endpoint monitoring for shell processes descending from Python interpreters loading third-party models
- Correlate model file hashes with known-good baselines from trusted internal registries
Monitoring Recommendations
- Log all invocations of torch.load and pickle.load in production ML pipelines with source file provenance
- Alert on any subprocess, sh, bash, cmd.exe, or powershell.exe process launched by a Python parent handling model files
- Monitor egress traffic from ML training clusters for connections to non-approved destinations
How to Mitigate CVE-2025-71350
Immediate Actions Required
- Upgrade picklescan to version 0.0.28 or later across all development, CI, and production environments
- Rescan every third-party pickle and PyTorch model file previously validated by an older picklescan version
- Restrict model loading to files sourced from internally controlled and cryptographically signed registries
- Run model deserialization inside sandboxed containers with no outbound network access and minimal filesystem privileges
Patch Information
The maintainers of picklescan addressed the issue in version 0.0.28 by extending the detection ruleset to cover torch.utils.collect_env.run and related indirect execution primitives. Full remediation details are documented in the GitHub Security Advisory.
Workarounds
- Migrate model serialization to safer formats such as safetensors, which do not permit arbitrary code execution during load
- Load untrusted pickle files only inside isolated, non-privileged sandboxes with strict egress controls
- Implement additional pre-load static analysis using pickletools to enumerate all GLOBAL opcodes and manually review external references
# Upgrade picklescan to the patched release
pip install --upgrade 'picklescan>=0.0.28'
# Verify the installed version
python -c "import picklescan; print(picklescan.__version__)"
# Rescan model artifacts recursively
picklescan --path /path/to/models --recursive
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

